Kaspersky Anti Targeted Attack Platform

Preparing the IT infrastructure for installing application components

Before installing the application, prepare your corporate IT infrastructure for the installation of components of Kaspersky Anti Targeted Attack Platform:

  1. Ensure that the servers, the computer intended for working with the application web interface, and the computers to be installed with the Endpoint Agent component all satisfy the hardware and software requirements.
  2. To protect the network from the objects being analyzed, deny access to the local network of the Sandbox server for the management network interface and the network interface used for internet access of processed objects.
  3. Prepare the corporate IT infrastructure in accordance with the table below:

    Ports for interaction between Kaspersky Anti Targeted Attack Platform components (source, direction, port or protocol – description)

    Central Node

      Inbound:
        • TCP 22 – Connecting to the server over SSH
        • TCP 443 – Receiving data from the Endpoint Agent (KEDR)
        • TCP 8085 – Receiving data from the Endpoint Agent (NDR)
        • TCP 8443 – Access to the web interface of the application
        • TCP 9081 – Receiving data from Sensors installed on standalone servers
        • TCP 7423, 13520 – Communication with the Sensor server
        • UDP 53 – Communication with the Sensor server

      Outbound:
        • TCP 80, 443, 1443 – Communication with the KSN servers and Kaspersky update servers
        • TCP 443 – Sending objects to Sandbox for scanning
        • TCP 601 – Sending messages to the SIEM system
        • UDP 53 – Communication with the Sensor server

      Inbound and outbound:
        • ESP, AH, IKEv1, IKEv2 – For interaction between Central Node and Sensor over a secure link based on the IPSec protocol

    Sensor

      Inbound:
        • TCP 22 – Connecting to the server over SSH
        • TCP 1344 – Receiving traffic from the proxy server
        • TCP 25 – Receiving SMTP traffic from the mail server
        • TCP 443 – When Sensor is used as a proxy server for communication between workstations with Endpoint Agent and Central Node
        • TCP 8085 – Receiving data from the Endpoint Agent (NDR)
        • TCP 9443 – Access to the web interface of the component
        • UDP 53 – Communication with the Central Node server

      Outbound:
        • TCP 80, 443 – Communication with the KSN servers and Kaspersky update servers
        • TCP 995 – Integration with the mail server for secure connections
        • TCP 110 – Integration with the mail server for unsecured connections
        • TCP 7423, 13520 – Communication with the Central Node server
        • UDP 53 – Communication with the Central Node server

      Inbound and outbound:
        • ESP, AH, IKEv1, IKEv2 – For interaction between Central Node and Sensor over a secure link based on the IPSec protocol

    Sandbox

      Inbound (management interface):
        • TCP 22 – Connecting to the server over SSH
        • TCP 443 – Interaction with the Central Node
        • TCP 8443 – Access to the web interface of the application

      Outbound (management interface):
        • TCP 80, 443 – Communication with Kaspersky update servers

      Outbound and corresponding inbound (interface for access of processed objects):
        • Any – Access to the internet for analyzing the network behavior of processed objects. Deny access to the corporate LAN to protect the network from analyzed objects.

    SCN (when using the distributed solution mode)

      Outbound:
        • TCP 8443, 8444 – For interaction between SCN and PCN over a secure link based on the IPSec protocol

      Inbound and outbound:
        • TCP 443, 53, 11000:11006; UDP 53; ESP, AH, IKEv1 and IKEv2 – For interaction between SCN and PCN over a secure link based on the IPSec protocol

    PCN (when using the distributed solution mode)

      Inbound:
        • TCP 8443, 8444 – For interaction between PCN and SCN over a secure link based on the IPSec protocol

      Inbound and outbound:
        • TCP 443, 53, 11000:11006; UDP 53; ESP, AH, IKEv1 and IKEv2 – For interaction between PCN and SCN over a secure link based on the IPSec protocol
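The following script is an added example and is not part of the Kaspersky documentation or product. It turns the Central Node and Sandbox rows of the table above into a host-based nftables ruleset, so the port list can be applied and reviewed as code rather than read off a table. The addresses (192.0.2.x), interface names (eth0, eth1) and the corporate LAN ranges are constructed placeholders; the documented advice to deny the Sandbox access to the local network is aimed at the network firewall, and the Sandbox ruleset here only complements it on the host. IKE is carried over UDP 500 (and UDP 4500 behind NAT), which is standard IPSec behaviour and not stated on the page.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): render a host-based nftables ruleset for one
# Kaspersky Anti Targeted Attack Platform role from the documented port table.
# Every address, interface name and LAN range below is a constructed placeholder.
KATA_SENSOR_ADDR="${KATA_SENSOR_ADDR:-192.0.2.20}"    # Sensor server
KATA_SANDBOX_ADDR="${KATA_SANDBOX_ADDR:-192.0.2.30}"  # Sandbox server
KATA_CN_ADDR="${KATA_CN_ADDR:-192.0.2.10}"            # Central Node
KATA_SIEM_ADDR="${KATA_SIEM_ADDR:-192.0.2.40}"        # SIEM collector (TCP 601)
KATA_MGMT_IF="${KATA_MGMT_IF:-eth0}"                  # Sandbox management interface
KATA_OBJ_IF="${KATA_OBJ_IF:-eth1}"                    # Sandbox interface for internet access of processed objects
KATA_LAN="${KATA_LAN:-10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}"  # corporate LAN ranges to deny

# IPSec with the Sensor: ESP and AH are IP protocols; IKEv1/IKEv2 negotiate over UDP 500 (4500 behind NAT).
# $1 is "saddr" for the input chain or "daddr" for the output chain.
ipsec_rules() {
  printf '    ip %s %s meta l4proto { esp, ah } accept comment "IPSec with Sensor"\n' "$1" "$KATA_SENSOR_ADDR"
  printf '    ip %s %s udp dport { 500, 4500 } accept comment "IKEv1/IKEv2 with Sensor"\n' "$1" "$KATA_SENSOR_ADDR"
}

# Central Node: default-deny in both directions, then exactly the documented flows.
render_central_node() {
  cat <<EOF
table inet kata_central_node {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport 22 accept comment "SSH"
    tcp dport 443 accept comment "Endpoint Agent (KEDR)"
    tcp dport 8085 accept comment "Endpoint Agent (NDR)"
    tcp dport 8443 accept comment "web interface"
    ip saddr $KATA_SENSOR_ADDR tcp dport 9081 accept comment "Sensors on standalone servers"
    ip saddr $KATA_SENSOR_ADDR tcp dport { 7423, 13520 } accept comment "Sensor server"
    ip saddr $KATA_SENSOR_ADDR udp dport 53 accept comment "Sensor server"
$(ipsec_rules saddr)
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    tcp dport { 80, 443, 1443 } accept comment "KSN and Kaspersky update servers"
    ip daddr $KATA_SANDBOX_ADDR tcp dport 443 accept comment "objects to Sandbox"
    ip daddr $KATA_SIEM_ADDR tcp dport 601 accept comment "SIEM"
    ip daddr $KATA_SENSOR_ADDR udp dport 53 accept comment "Sensor server"
$(ipsec_rules daddr)
  }
}
EOF
}

# Sandbox: management interface admits only SSH, the Central Node and the web interface and
# reaches only the update servers; the processed-objects interface may reach the internet
# but never the corporate LAN, for traffic originating on the host and for forwarded VM traffic.
render_sandbox() {
  cat <<EOF
table inet kata_sandbox {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iif $KATA_MGMT_IF tcp dport 22 accept comment "SSH (management interface)"
    iif $KATA_MGMT_IF ip saddr $KATA_CN_ADDR tcp dport 443 accept comment "Central Node (management interface)"
    iif $KATA_MGMT_IF tcp dport 8443 accept comment "web interface (management interface)"
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    oif $KATA_MGMT_IF tcp dport { 80, 443 } accept comment "Kaspersky update servers"
    oif $KATA_OBJ_IF ip daddr { $KATA_LAN } drop comment "deny corporate LAN to processed objects"
    oif $KATA_OBJ_IF accept comment "internet for processed objects"
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    oif $KATA_OBJ_IF ip daddr { $KATA_LAN } drop comment "deny corporate LAN to processed objects"
    oif $KATA_OBJ_IF accept comment "internet for processed objects (VM traffic)"
  }
}
EOF
}

# render_role central-node|sandbox  > ruleset.nft
# Check syntax with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft`.
render_role() {
  case "$1" in
    central-node) render_central_node ;;
    sandbox) render_sandbox ;;
    *) echo "usage: $0 central-node|sandbox" >&2; return 2 ;;
  esac
}

[ $# -eq 0 ] || render_role "$1"
```

The Sensor is omitted only for length; its rows map onto the same pattern (inbound 22, 25, 443, 1344, 8085, 9443; outbound 80, 443, 110, 995, 7423, 13520; UDP 53 and the IPSec rules in both directions). Keep the `ct state established,related accept` lines: with `policy drop` on the output chain they are what lets replies to the inbound flows leave the host.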

If you install an additional network interface that receives only mirrored traffic in a VMware ESXi virtual environment, use the E1000 network adapter or disable the LRO (large receive offload) option on a VMXNET3 network adapter.

See also

Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3

Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP

Preparing the virtual machine for installing the Sandbox component

Preparing an installation disk image with the Central Node, Sensor, and Sandbox components

Configuring firewall rules


Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3

If you are using a Microsoft Exchange mail server and an email sender has requested a read receipt, you must disable read receipt notifications. Otherwise, read receipt notifications will be sent from the email address that you have configured as the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform. You must also disable automatic processing of meeting requests to prevent the mailbox used for receiving messages of Kaspersky Anti Targeted Attack Platform from filling up.

To disable sending read receipt notifications from the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform:

  1. On the Microsoft Exchange server, check whether read receipt notifications are enabled. To do so, execute the command:

    Get-MailboxMessageConfiguration -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> | fl

  2. If notifications are enabled, run the following command:

    Set-MailboxMessageConfiguration -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> -ReadReceiptResponse NeverSend

This will disable read receipt notifications from the email address used for receiving messages of Kaspersky Anti Targeted Attack Platform.

To disable automatic processing of meeting requests:

  1. On the Microsoft Exchange server, check whether automatic processing of meeting requests is enabled. To do so, execute the command:

    Get-CalendarProcessing -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> | fl

  2. If automatic processing of meeting requests is enabled, run the following command:

    Set-CalendarProcessing -Identity <email address for receiving messages by Kaspersky Anti Targeted Attack Platform> -AutomateProcessing:None

Automatic processing of meeting requests will be disabled.

See also

Preparing the IT infrastructure for installing application components

Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP

Preparing the virtual machine for installing the Sandbox component

Preparing an installation disk image with the Central Node, Sensor, and Sandbox components


Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP

To prepare your corporate IT infrastructure for Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol:

  1. On the external mail server, configure rules for forwarding copies of the messages that you want to send for scanning by Kaspersky Anti Targeted Attack Platform to the addresses specified in Kaspersky Anti Targeted Attack Platform.
  2. Specify the route for forwarding email messages to the Sensor server.

    It is recommended to specify a static route, that is, the IP address of the Sensor server.

  3. Configure the firewall of your organization to allow inbound connections to port 25 of the Sensor server from mail servers that are forwarding copies of email messages.

You can also improve the security of Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol.

To improve the security of Kaspersky Anti Targeted Attack Platform integration with a mail server over the SMTP protocol:

  1. Configure authentication of the Kaspersky Anti Targeted Attack Platform server on the side of the mail servers forwarding email messages for Kaspersky Anti Targeted Attack Platform.
  2. Configure mandatory encryption of traffic on mail servers that are forwarding email messages for Kaspersky Anti Targeted Attack Platform.
  3. Configure authentication of mail servers forwarding email messages for Kaspersky Anti Targeted Attack Platform on the Kaspersky Anti Targeted Attack Platform side.
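The script below is an added example, not part of the Kaspersky documentation, and assumes the external mail server is Postfix (the page does not name the mail server software). It renders the Postfix settings for the forwarding steps above: a copy of each message to the address specified in Kaspersky Anti Targeted Attack Platform (step 1), a static route to the Sensor IP address on port 25 (step 2), and, for the hardening steps, a per-destination TLS policy that makes encryption mandatory and authenticates the Sensor by its certificate, shown beside the weak opportunistic setting. All addresses, names and paths are constructed placeholders; authenticating the mail servers on the Kaspersky Anti Targeted Attack Platform side is configured in the product itself and is not covered here.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): Postfix settings for the mail server that
# forwards copies of messages to the Sensor over SMTP. Postfix is an assumption;
# every address, host name and path below is a constructed placeholder.
KATA_SENSOR_IP="${KATA_SENSOR_IP:-192.0.2.20}"                       # Sensor server, target of the static route
KATA_ADDR="${KATA_ADDR:-kata-scan@sensor.example.com}"               # address specified in Kaspersky Anti Targeted Attack Platform
KATA_SENSOR_CERT_NAME="${KATA_SENSOR_CERT_NAME:-sensor.example.com}" # name in the Sensor's TLS certificate
KATA_CA_FILE="${KATA_CA_FILE:-/etc/postfix/kata-sensor-ca.pem}"      # CA that issued the Sensor certificate

# Step 2, static route: mail for the KATA domain goes straight to the Sensor IP on port 25.
# The square brackets tell Postfix not to do an MX lookup for the next hop.
render_transport_map() {
  printf '%s smtp:[%s]:25\n' "${KATA_ADDR#*@}" "$KATA_SENSOR_IP"
}

# Hardening steps 1 and 2: TLS policy for the Sensor next hop.
#   may    = opportunistic TLS; falls back to cleartext if STARTTLS fails (weak, shown for contrast)
#   verify = TLS is mandatory AND the Sensor certificate must chain to KATA_CA_FILE and carry
#            KATA_SENSOR_CERT_NAME, which authenticates the Kaspersky Anti Targeted Attack Platform server
render_tls_policy() {  # $1: "weak" or "hardened" (default)
  if [ "${1:-hardened}" = weak ]; then
    printf '[%s]:25 may\n' "$KATA_SENSOR_IP"
  else
    printf '[%s]:25 verify match=%s\n' "$KATA_SENSOR_IP" "$KATA_SENSOR_CERT_NAME"
  fi
}

# Step 1: copy every message passing through this server to the KATA address.
# Use sender_bcc_maps or recipient_bcc_maps instead of always_bcc to copy only selected mail.
render_main_cf() {
  cat <<EOF
always_bcc = $KATA_ADDR
transport_maps = hash:/etc/postfix/transport
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = $KATA_CA_FILE
EOF
}

# Write the lookup tables, apply the main.cf settings and reload; only on a host that has Postfix.
apply_postfix() {
  command -v postconf >/dev/null 2>&1 || { echo "postconf not found, nothing applied" >&2; return 1; }
  render_transport_map > /etc/postfix/transport && postmap /etc/postfix/transport
  render_tls_policy hardened > /etc/postfix/tls_policy && postmap /etc/postfix/tls_policy
  render_main_cf | while IFS= read -r line; do postconf -e "$line"; done
  postfix reload
}
```

After applying, a successful delivery to the Sensor is logged by Postfix with `Verified TLS connection established to [192.0.2.20]:25`; with the weak `may` policy the same log line can read `Untrusted` or `Anonymous`, or be absent entirely when the session fell back to cleartext, which is the failure mode the `verify` policy removes.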

See also

Preparing the IT infrastructure for installing application components

Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3

Preparing the virtual machine for installing the Sandbox component

Preparing an installation disk image with the Central Node, Sensor, and Sandbox components


Preparing the virtual machine for installing the Sandbox component

To prepare the virtual machine for installing the Sandbox component:

  1. Run the VMware ESXi hypervisor.
  2. Open the virtual machine management console.
  3. In the context menu of the virtual machine on which you want to install the Sandbox component, choose Edit Settings.

    This opens the virtual machine properties window.

  4. On the Virtual Hardware tab, expand the CPU settings group and select the Expose hardware-assisted virtualization to guest OS check box.
  5. On the VM Options tab in the Latency Sensitivity drop-down list, select High.
  6. Click Ok.

The virtual machine is ready for installing the Sandbox component.

See also

Preparing the IT infrastructure for installing application components

Preparing the IT infrastructure for integration with a mail server used for receiving messages via POP3

Preparing the IT infrastructure for integration with a mail server used for receiving messages via SMTP

Preparing an installation disk image with the Central Node, Sensor, and Sandbox components


Preparing an installation disk image with the Central Node, Sensor, and Sandbox components

Before installing the application, you must prepare an iso image of the installation disk with the Central Node, Sensor, and Sandbox components based on the Astra Linux operating system.

Minimum hardware requirements for a device that can be used to create the iso image:

  • CPU: 4 cores, clock rate 2500 MHz or more.
  • RAM: 8 GB.
  • Available disk space: 100 GB.

Software requirements:

  • Operating system based on an up-to-date Linux kernel.
  • Docker 20 or later.
  • Availability of the iso image of the Astra Linux Special Edition 1.7.5.

    Kaspersky Anti Targeted Attack Platform does not support other versions of the Astra Linux operating system.

To build an iso image with the Central Node and Sensor components or with the Sandbox component based on the Astra Linux operating system:

  1. From the distribution kit, download the Central Node and Sensor component distribution kit (kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz), the Sandbox component distribution kit (kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz), and the file named iso-builder-7.0.3.520-x86_64_en-ru.tar.
  2. Create an iso_builder.sh file with the following content.

    #!/bin/sh
    # $1 - absolute source_iso_host_path
    # $2 - absolute distribution_host_path
    # $3 - absolute iso_builder_image_host_path
    # $4 - absolute build_host_path
    # $5 - target_iso_name (file name only)
    set -eu
    [ $# -eq 5 ] || { echo "usage: $0 source_iso_host_path distribution_host_path iso_builder_image_host_path build_host_path target_iso_name" >&2; exit 1; }
    # Load the builder image from its archive, then run it with the inputs mounted at their host paths and the build directory at /build
    docker load -i "$3"
    docker run -v "$1:$1" -v "$2:$2" -v "$4:/build" kaspersky/kata/deployment/iso_builder:6.0 --source-iso-uri "file://$1" --kata-distribution-uri "file://$2" --target-iso-name "$5"

  3. Run the mkdir /var/kata_builder command.
  4. Put the files listed in step 1 in the newly created /var/kata_builder directory. Make sure that the Astra Linux Special Edition 1.7.5 iso image is named installation-1.7.5.16-06.02.24_14.21.iso. If the name of the iso image is different, please rename it.
  5. Run the following command:
    • If you are preparing a disk image with the Central Node and Sensor components:

      sudo ./iso_builder.sh /var/kata_builder/installation-1.7.5.16-06.02.24_14.21.iso /var/kata_builder/kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz /var/kata_builder/iso-builder-7.0.3.520-x86_64_en-ru.tar /var/kata_builder buildCNSensorAstra.iso

    • If you are preparing a disk image with the Sandbox component:

      sudo ./iso_builder.sh /var/kata_builder/installation-1.7.5.16-06.02.24_14.21.iso /var/kata_builder/kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz /var/kata_builder/iso-builder-7.0.3.520-x86_64_en-ru.tar /var/kata_builder buildSandboxAstra.iso

After the command completes, the installation disk image is located in the /var/kata_builder directory: buildCNSensorAstra.iso for the Central Node and Sensor components, or buildSandboxAstra.iso for the Sandbox component.

If you use other directories for storing files, you can run the command as follows: sudo ./iso_builder.sh <source_iso_host_path> <distribution_host_path> <iso_builder_image_host_path> <build_host_path> <target_iso_name>, where:

  • source_iso_host_path is the path to the distribution kit of the Astra Linux Special Edition 1.7.5.
  • distribution_host_path is the path to the distribution kit: kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz or kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz.
  • iso_builder_image_host_path is the path to the iso-builder-7.0.3.520-x86_64_en-ru.tar file.
  • build_host_path is the path to the directory in which the built ISO image is to be placed, without the name being assigned to the ISO image.
  • target_iso_name is the name that is being assigned to the ISO image.
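The following wrapper is an added example and is not part of the Kaspersky documentation or distribution kit. It performs the pre-flight checks a practitioner wants before running the procedure above: that the directory holds every input under exactly the file name the procedure requires (a differently named Astra Linux ISO being the usual mistake), that Docker is available, and, after the build, that the expected ISO was actually produced. It also records SHA-256 sums of the inputs and of the output ISO, which is my addition for later verification of what went into the image. The file names are the ones from the procedure; /var/kata_builder is the documented default directory; the wrapper assumes iso_builder.sh from step 2 is present there and executable.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): pre-flight checks and wrapper for iso_builder.sh.
# File names are exactly those required by the documented procedure; the manifest
# files inputs.sha256 and outputs.sha256 are this example's own addition.
ASTRA_ISO="installation-1.7.5.16-06.02.24_14.21.iso"
CN_KIT="kata-cn-distribution-7.0.3.520-x86_64_en-ru-zh.tar.gz"
SB_KIT="kata-sb-distribution-7.0.3.520-x86_64_en-ru.tar.gz"
BUILDER="iso-builder-7.0.3.520-x86_64_en-ru.tar"

# kit_for KIND: distribution kit for "cn" (Central Node and Sensor) or "sb" (Sandbox)
kit_for() {
  case "$1" in cn) echo "$CN_KIT" ;; sb) echo "$SB_KIT" ;; *) return 2 ;; esac
}

# target_for KIND: name of the ISO the documented procedure produces for that kind
target_for() {
  case "$1" in cn) echo buildCNSensorAstra.iso ;; sb) echo buildSandboxAstra.iso ;; *) return 2 ;; esac
}

# check_inputs DIR KIND: returns 0 when every input the build needs is present and non-empty
check_inputs() {
  dir=$1; kind=$2; missing=0
  kit=$(kit_for "$kind") || { echo "kind must be cn or sb" >&2; return 2; }
  for f in "$ASTRA_ISO" "$kit" "$BUILDER" iso_builder.sh; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; missing=$((missing + 1)); }
  done
  # The procedure requires the exact Astra Linux ISO name; point at any other ISO in the directory
  if [ ! -s "$dir/$ASTRA_ISO" ]; then
    for iso in "$dir"/*.iso; do
      if [ -e "$iso" ]; then echo "hint: rename $iso to $ASTRA_ISO" >&2; fi
    done
  fi
  [ "$missing" -eq 0 ]
}

# record_hashes DIR LABEL FILE...: append SHA-256 sums of the given files to DIR/LABEL.sha256
record_hashes() {
  dir=$1; label=$2; shift 2
  ( cd "$dir" && sha256sum "$@" ) >> "$dir/$label.sha256"
}

# build DIR KIND: run the documented iso_builder.sh command and confirm the ISO was produced
build() {
  dir=$1; kind=$2
  check_inputs "$dir" "$kind" || return 1
  kit=$(kit_for "$kind"); target=$(target_for "$kind")
  command -v docker >/dev/null 2>&1 || { echo "docker is required on this host" >&2; return 1; }
  record_hashes "$dir" inputs "$ASTRA_ISO" "$kit" "$BUILDER"
  ( cd "$dir" && sudo ./iso_builder.sh "$dir/$ASTRA_ISO" "$dir/$kit" "$dir/$BUILDER" "$dir" "$target" ) || return 1
  [ -s "$dir/$target" ] || { echo "build finished but $dir/$target was not produced" >&2; return 1; }
  record_hashes "$dir" outputs "$target"
}

# usage: sh build_kata_iso.sh cn|sb [directory]   (directory defaults to /var/kata_builder)
[ $# -eq 0 ] || build "${2:-/var/kata_builder}" "$1"
```

Run `check_inputs /var/kata_builder cn` on its own first; it lists everything that is missing in one pass instead of failing at the first absent file inside the container.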